NSI Technical Bulletin No. 0010 Guidance on the implementation of BS 7984:2008 Keyholding and response services – Code of Practice 1 of 27 Dated: 18.03.09 To: All NSI Approved Companies and Applicants where the scope of approval includes the provision of keyholding and response services TECHNICAL BULLETIN No. 0010 Guidance on the implementation of BS 7984:2008, the British Standard Code of Practice for Keyholding and response services. (Supersedes BS7984:2001) BS 7984:2008 shows an effective date of 30 th September 2008 and is now available through licensed outlets including NSI who can supply copies at a discounted rate. BS 7984:2008 will now be applied to all organisations that wish to obtain or maintain NSI Approval for Keyholding and response services, subject to the additional clarifications and guidance within this Technical Bulletin. With immediate effect applicant companies will be assessed against the 2008 edition and any Improvement Needs recorded against clauses of the Standard will have to be satisfactorily addressed before approval can be granted. Existing NSI Approved Companies will however be given until the 30 th June 2010 to fully comply with the revised requirements. After the 30 th June 2010 any failure to fully satisfy the revised requirements will result in the raising of an Improvement Need which if not addressed within the stated Improvement Period may result in a recommendation for withdrawal of NSI Approval. In the interim (up and until the 30 th June 2010) Improvement Observations will be issued for any of the revised requirements within BS 7984:2008 that are not fully satisfied. Failure to address any such Improvement Observations by the 30 th June 2010 will result in their immediate elevation to an Improvement Need. Certificates issued by NSI that specifically reference BS7984:2001 will be progressively updated to reference the 2008 edition, as and when satisfactory evidence of compliance is demonstrated. NOTE REGARDING THE STATUS OF BS 7984:2008: Although issued as a Code of Practice by the British Standards Institution, compliance is regarded as mandatory for all organisations wishing to maintain NSI Approval for Keyholding and Response Services, subject to any additional clarifications and guidance included within this Technical Bulletin or subsequently issued. (The NSI Guarding Gold and Silver schemes for keyholding and response services are UKAS Accredited Product Certification schemes hence the need for mandatory requirements). NSI Technical Bulletin No. 0010 Guidance on the implementation of BS 7984:2008 Keyholding and response services – Code of Practice 2 of 27 SUMMARY OF SIGNIFICANT CHANGES (Highlighted under the clauses of the new Standard) Each significant change introduced by BS 7984:2008 (as compared with the 2001 edition) is addressed under the relevant clauses as detailed below on the following pages. Where the actual text from 7984:2008 is quoted it is reproduced in bold text and where it is considered appropriate, further guidance in italics has been provided. In general, it is not the intent of NSI to impose its own preferred methods of compliance with specified requirements and NSI will give full consideration to any alternative methods of achieving compliance with specified requirements. However, section 6.9 of this NSI Technical Bulletin contains some requirements (additional to BS 7984:2008) that are mandatory for NSI approved companies approved against BS 7984:2008. These NSI additional mandatory requirements relate to external key storage facilities at customer premises. FOREWORD The structure of the Foreword has changed. There is now a section on presentational conventions that makes it clear that the recommendations within the Standard are expressed in sentences in which the principal auxiliary verb is “should”. However for approval under the NSI Scheme the note regarding the status of BS 7984 on page 1 of this Bulletin makes it clear that the requirements of BS 7984 are mandatory. Therefore, all references to “should” within the Standard must be read a s “shall” as they are not an option. Some clauses with in the Standard use the word “may”; unless it is stated otherwise under the relevant clause, it is accepted that such references act as an alternative to the primary requirement. Where “can” is used it is to express possibility e.g. a consequence of an action or event. The reference to the Private Security Industry Act 2001 is retained principally to draw attention to the fact that individuals carrying out licensable activities as defined in the Act are required to be licensed. Organisations wishing to maintain NSI Approval need to be able to demonstrate that all relevant deployed personnel hold the appropriate SIA Licence or, if they are a SIA Approved Contractor, that they are covered by a Licensing Dispensation Notice. 1. SCOPE There are no changes to Scope. 2. NORMATIVE REFERENCES No significant change except with reference to: Deletions – BS 4737 Intruder alarm systems – BS 6803 Vehicle security alarm systems – Code of practice for the protection of vehicles and goods in transit. Additions – BS ISO 10002 Quality management – Customer Satisfaction – Guidelines for complaints handling in organisations – PD 6662 Scheme for the application of European Standards for intruder and hold-up alarm systems NSI Technical Bulletin No. 0010 Guidance on the implementation of BS 7984:2008 Keyholding and response services – Code of Practice 3 of 27 3. TERMS AND DEFINITIONS Some additional definitions have been added, some minor amendments made to existing definitions and the section sorted into alphabetical order as detailed below: 3.2 Check call . The definition now refers to a “ keyholding response officer ” rather than a response officer. 3 . 4 Customer . The definition has been reworded and now reads “individual or body retaining the services of the organization ” . The reference to “in accordance with a contract” has been dropped. This change appears to have been made to ensure the Standard is still applicable when services are provided in-house or before a written contract has been signed as other definitions refer to “as determined by contractual requirements” . Organisations should be aware that the SIA licensing requirements relate to contracted security and clause 6.2 of BS 7984:2008 requires a signed contract or acceptance to be issued. 3.5 Event. The definition has been reworded and now reads “incident requiring entry or attendance at a customer’s location as determined by contractual requirements ” . 3 . 7 Keyholding response officer . The definition has been reworded and now reads “trained person who attends a location (as determined by contractual requirements) in response to an event and when required provides guarding services ” . This again appears to be influenced by SIA individual licensing requirements for keyholding as opposed to security guarding. Someone holding a keyholding licence would normally be meeting an engineer or client on site and handing the keys over and would not then be licensed to conduct any security guarding activities on arrival at the client ’ s site, so it is sometimes important to emphasise the different roles. Also the following note has been added: Attention is drawn to the PSIA 2001 (1) and the need for private contractors to hold the appropriate licence to undertake designated activities. 3.9 Organization. The definition has been slightly reworded and now reads “sole or main provider of keyholding and response services to a particular customer” 3.10 Principal. A new definition that reads “owner, partner, board director or other top executive in the private sector, or an executive officer in the public sector or a not-for- profit organisation”. 3.12 Secure facility. The definition has been slightly reworded and now reads “facility in which keys and/or assignment instructions are stored and from which they are pro vided in responding to an event”. A note is also included to reference section 6.8 which has detail on the various types of secure facility. NSI Technical Bulletin No. 0010 Guidance on the implementation of BS 7984:2008 Keyholding and response services – Code of Practice 4 of 27 4. THE ORGANISATION 4.1 Structure The organisation should now possess rather than publish a clearly defined management structure showing control and accountability at each level of operation. Also the details of the ownership of the organization should be established rather than published. NSI Approved Companies shall continue to document their management structure ideally in the form of an organisational chart that clearly shows the reporting relationships and it shall also be clear who the current incumbents are. The defined management structure shall also be communicated to all relevant personnel within the organisation and the organisation shall ensure that individuals are aware of their responsibilities, authorities and accountability. There is a change in BS 7984:2008 (as compared with the 2001 edition) concerning how complaints are handled and managed. BS 7984:2001 stated simply that “the organization should operate a complaints management system”, plus a Note that drew the reader’s attention to the fact that BS 8600 provided guidance on the management of such systems. In BS 7984:2008, the reference to BS 8600 has been updated to reference BS ISO 10002 (guidelines for complaints handling in organizations) which supersedes BS 8600. However, in BS 7984:2008 the reference to the complaints handling guidelines is now no longer merely an informative Note. BS 7984:2008 states that the organization should operate a documented complaints management system in accordance with BS ISO 10002. BS ISO 10002 (guidelines for complaint handling in organizations) is a 23 page document. Nine guiding principles are set out in 4.2 to 4.10. 5.1 speaks of the company’s commitment to effective and efficient complaint handling. 5 .2 recommends that top management should establish an explicit customer- focussed complaints-handling policy, and that the policy should be made available to (and known by) all personnel and also that the policy should be made available to customers and other interested parties. Annex A to BS ISO 10002 gives a half-page of guidance for small businesses. NSI is not necessarily looking for companies to adopt all of the guidelines given in BS ISO 10002. Further information and explanation is given in Annex A to this Technical Bulletin. A note has now been added at the end of the clause on disclosure of unspent convictions to draw attention to the Rehabilitation of Offenders Act 1974. The note relates to the existing and maintained requirement to disclose on request any unspent criminal convictions or undischarged bankruptcy of a principal or director. NSI Technical Bulletin No. 0010 Guidance on the implementation of BS 7984:2008 Keyholding and response services – Code of Practice 5 of 27 4.2 Finances There is a minor change in the second paragraph with regard to financial backing for Organisations that cannot yet present two year’s audited accounts. Substantial backing is now replaced with adequate financial backing. Also the paragraph refers to “two years’ audited trading accounts” rather than “two years’ trading accounts”. The NSI view on adequate financial backing is to view the resources, financial projections and available balance sheets at the application stage in order to take a view whether the organisation has the resources to finance its current and projected customer base , particularly if there are any delays in payment of invoices for contracted services . When forming its view, NSI may take account of the extent and nature of past business experience of the Principles of the company. 4.3 Insurance No real change to the insurances to be maintained but a note has been added as follows: Note: Where the organisation is solely providing a service in-house (and not contracting out such services), then efficacy insurance and some other types of insurance mentioned in this subclause might not be needed. 5. RESOURCES 5.1 Premises No significant change to the requirement to have an administrative office(s) but inclusion of an additional sentence stressing that “The location of records and documentation, both local and centralised, should be clearly defined by the organisation”. Organisations wishing to maintain NSI Approval shall clearly define the documents to be retained, their minimum retention period and the location/function where they are to be retained. The address of the relevant administrative office(s) shall also be used on all correspondence, promotional material and signage. 5.2 Staff 5.2.1 General No change other than referring to “keyholding response officers” rather than “response officers”. 5.2.2 Selection and screening NSI Technical Bulletin No. 0010 Guidance on the implementation of BS 7984:2008 Keyholding and response services – Code of Practice 6 of 27 This section still requires “ all persons undertaking, or having access to details of an assignment, keyholding and response should be selected and screened in accordance with BS 7858 ” but it has been rewritten and some of the requirements previously included elsewhere have been modified as follows: – The requirement for night-time working has been aligned with BS 7499:2007 i.e. “Night -time workers should be offered the opportunity of a medical assessment” with a Note drawing attention to the Working Time Regulations, 1998 part 2 sec 7 (3). It is generally accepted that an initial medical assessment can take the form of a review of a detailed medical questionnaire completed by the employee, provided that there is consideration of the need to seek further medical advice if the responses on the questionnaire leave any doubt as to the suitability of the employee to perform their allocated duties. – The requirement for an annual check on driving licences has been replaced by a requirement for a six-monthly inspection of the same and the most up-to- date copy of the license to be kept on the file. 5.2.3 Health This is a new sub-clause but most of the subject matter was previously included under selection and vetting. In order to comply with age discrimination legislation the requirement for persons over 65 years of age to have an annual medical has been dropped and replaced by the following requirement: “ In order to ensure that the physical condition of keyholding response officers remains compatible with the duties to which they have been assigned, documented procedures should be in place for performing routine health checks and reports. When the physical demands of a person’s duties change their physical condition and suitability should be reassessed as appropriate ” . One of the possible omissions in this Standard is that there is very little reference to any requirements for monitoring the performance of response officers and addressing on-going competency. Many response officers will also carry out mobile patrol visits in accordance with BS 7499 which has requirements for management/supervisory visits. Where keyholding response officers are subject to such requirements the regular supervisory visits or accompanied patrols may well provide a useful vehicle to also confirm that the response officer’s p hysical condition appears to be compatible with their duties and that they have not reported any medical problems or limitations. Even where BS7499 is not applicable, NSI will still expect to see that there is an adequate process for monitoring and management/supervision of the keyholding response officers and this process should also include periodic assessment of the physical condition and suitability to perform the required duties. NSI Technical Bulletin No. 0010 Guidance on the implementation of BS 7984:2008 Keyholding and response services – Code of Practice 7 of 27 A Note is also included as follows: “ Where health and safety risks or medical concerns are raised, it is reasonable for a company to ask the individual to undergo a medical examination to ensure fitness for duty ”. 5.2.4 Terms and conditions of employment No change except for item l), which now requires details of equipment and uniform supplied to be included in Terms and conditions of employment. 5.2.5 Disciplinary code The only change is to add item 5 to clause l) to reflect the SIA Licensing requirements i.e. failure to notify the employer immediately of any refusal, suspension or withdrawal (revocation) of a Security Industry Authority (SIA) licence also now constitutes a breach of the terms and conditions of employment. 5.2.6 Identification The applicability of this section has been slightly changed in that it previously stated that it applied to employees who have been screened, whereas it now refers to employees, who are required to be screened. Clarification has been added to give an example how to indicate the status and location of withdrawn cards. There is also the incorporation of a note at the end of the section, as follows: “ Where a security officer is required to display a SIA licence this does not negate the need for company identification ” . 5.3 EQUIPMENT AND UNIFORMS 5.3.1 Uniform The 3 rd paragraph now requires “some clothing, such as a high visibility jacket ” to be available when the employee is not in uniform but needs to respond to an emergency call”, a s opposed to “some clothing, which clearly displays the insignia of the organisation” . 5.3.2 Vehicles 5.4.2.1 General No change. 5.3.3 Other equipment No change. NSI Technical Bulletin No. 0010 Guidance on the implementation of BS 7984:2008 Keyholding and response services – Code of Practice 8 of 27 5.3.4 Equipment records No change. 5.4 TRAINING 5.4.1 General No change. 5.4.2 Induction training No change. 5.4.3 Basic job training: The core requirements for basic (classroom) training have been modified and extended such that they are comparable with those issued by the Sector Skills Body (SSB) and are also therefore comparable with the competency requirements that have to be satisfied in order to obtain a SIA Security Guarding (SG) licence. The training is required to last at least 32 hours, including the examinations. The third paragraph now refers to training persons being “sector -competent, qualified training persons ” rather than “and/or experienced” in addition t o being qualified. If SIA Licensing of individuals is applicable and the training provider is selected from the lists of those recognised by the relevant awarding bodies it can be taken for granted that the trainers will satisfy the requirement to be “se ctor- competent, qualified training persons”. The list of core subjects is substantially different and is as follows: a) introduction to the security industry and the role and responsibilities of security officers; b) patrolling; c) control of access and egress; d) searching; e) security and emergency systems; f) fire safety; g) health and safety at work; h) the law; i) emergencies; j) customer care and social skills; k) communications and reporting; l) equality and diversity; m) communication skills and conflict management. NSI Technical Bulletin No. 0010 Guidance on the implementation of BS 7984:2008 Keyholding and response services – Code of Practice 9 of 27 5.4.4 Keyholding and response officer training Keyholding and response officer training has now replaced the previous assignment-specific training and the requirements are now much more prescriptive, as follows: Training should last a total of at least 16 hours in addition to the basic job training (see 5.4.3) including an examination and should cover the following core subjects: (a) roles and responsibilities; (b) health and safety issues relevant to the activities of a keyholding response officer; (c ) assessing risks associated with entering sites and premises; (d) legislation, regulation and codes of practise relevant to keyholding and response, particularly Association of Chief Police Officers (ACPO), Chief Fire Officers Association (CFOA) and local police policy; (e) management of keys; (f) operating and interrogating alarm panels to locate cause of alarm; (g) maintaining the security of premises; (h) preserving potential evidence; (i) reporting and documentation requirements relevant to response visits; j) navigational skills. It is understood that through the sector skills body a training module for the above is being developed but at the time of publishing this bulletin it is not yet available. Until such time as such a module is available organisations wishing to obtain and maintain NSI Approval will be expected to have developed their own training package that demonstrates that the referenced core subjects have been satisfied. It is for this reason that a transition time of fifteen months has been granted for existing NSI approved companies, in order to give ample time for the development of the required training module. The requirement also includes the need for an examination which could simply be completion of a multi-choice paper but there should be a clearly defined pass level that the potential keyholding response officer is expected to achieve. Failure to achieve the required pass level shall trigger re-training for the elements that the officer has failed to demonstrate an adequate understanding of. The requirement for a performance assessment within the first three months of employment has been retained but it now includes the need for the performance criteria to be comparable with the core competencies as defined by the Sector Skills Body. As a minimum the assessment should confirm that the keyholding response officer understands his duties and responsibilities covered by item a) to j) of the list of requirements for keyholding and response officer training, detailed in paragraph 5.4.4. 5.4.5 Response centre training NSI Technical Bulletin No. 0010 Guidance on the implementation of BS 7984:2008 Keyholding and response services – Code of Practice 10 of 27 Two new requirements have been added: i) now requires training to include collation and provision of information about response events; j) now requires training to include allocation of resources for keyholding response. Specialist training (5.7.6 in the previous version) has been now removed. 5.4.6 Takeovers No change. 5.4.7 Refresher Training No change. . 5.4.8 Contingency Training No change 5.4.9 Vocational Training Slight rewording but no significant change. 5.4.10 Training Records The requirement for training records to be reviewed annually has been dropped but the requirements for training to be accurately recorded on a form specific for the purpose and signed by trainee and trainer has been retained. There is now also a specific requirement that “w here a certificate of competence is provided by a recognized and relative sector competent training organization, a copy should be retained ” . 5.5 Suppliers 5.5.1 Suppliers of subcontract labour No change. 5.5.2 Qualifications of suppliers’ personnel The list of items to be satisfied when using subcontractors now includes item f) a requirement to ensure that subcontractors are appropriately licensed by the SIA. 5.6 Documents and Date (a new paragraph added) Requirements for maintaining documents and data have been revised and consolidated under this new clause, as follows: Separate records (hardcopy or electronic) should be maintained for each NSI Technical Bulletin No. 0010 Guidance on the implementation of BS 7984:2008 Keyholding and response services – Code of Practice 11 of 27 customer, employee and supplier. The records should be held in a secure manner, but should be easily accessible to authorized persons who have been screened (see 5.2.2). Amended and/or updated records should be identifiable by date and clearly distinguishable from previous versions. Information stored in an electronic retrieval system should be regularly backed-up. The back-up copies should be stored separately. MARGIN NOTE 1 Further information on the management of electronic data can be found in BS ISO/IEC 27001. Advice on the storage of electronic media can be found in BS 5454. Archived records should be clearly indexed. All records concerning a contract should be maintained for at least 12 months. Note 2 Minimum periods for retention of records can be reviewed if applicable for particular purposes, especially with regard to potential liabilities for civil action. Such records should include: (a) all issues of assignment instructions; (b) key registers and incident reports; (c ) details of persons deployed to the assignment. An employee’s basic records (as detailed in BS 7858) should be kept for at least 7 years from the cessation of their employment. NSI interpretation of the above clauses is that with the exception of the employee records, there should be a minimum of twelve months retention for all records that provide evidence of compliance with specified requirements so that such activities can be subsequently audited. However certain types of contract specific records should be maintained for longer periods not only with regard to potential liabilities for civil action but in order to comply with legislation and or satisfy appropriate authorities. Also, some contract information may need to be held for a longer period to meet Revenue and Customs (HMRC) requirements. As items like Assignment Instructions can be regarded as an extension of the contract as well as providing working instructions for the response officer it is sensible to keep previous issues for a period in excess of the minimum twelve months. Organisations wishing to obtain or maintain NSI Approval for keyholding response services are expected to demonstrate that they have clearly defined retention times that they believe fully protect them from any potential liabilities for civil action and take note of any specified requirements in BS7984, BS 7858 or any relevant legislative requirements. 6.0 SERVICE NSI Technical Bulletin No. 0010 Guidance on the implementation of BS 7984:2008 Keyholding and response services – Code of Practice 12 of 27 6.1 Sale of services 6.1.1 Contacting prospective customers No change. 6.1.2 Customer information Item c) of the list of basic information to be supplied to potential customers now includes the “SIA Approved Contractor Scheme” status. NSI view on this, is that if a company is approved under the SIA ACS Scheme this should be referenced but unless it becomes a specific requirement of the ACS scheme it need not include details as to the level of achievement or score obtained on a verification visit. Item l) has now a note which says: Terms and conditions of employment might include the average hourly rate of pay and the maximum number of hours in a typical working week. 6.1.3 Quotations (Drafting of contracts in the previous version) “Drafting of contracts” from the previous version has been now divided between two sections: “Quotations” and “Contracts”. The first paragraph of Quotations reads now, that a “clear written quotation should be provided by the organization” rather than “should be agreed between the organization and the customer”. The latter part of the first paragraph has been completely reworded and reads now “If the quotation is accepted by the customer, it should form part of the contract (see 6.2) ” . Item b) of the requirements for a quotation now includes : Note 1 Costing can include information on the gross pay of personnel. Item c) has now an afternote added: Note 2 The contract might not necessarily be for a specified period, but can take the form of a temporary works order. Item h) has now been modified and now states “the obligation of the organization to maintain confidentiality with respect to information obtained whilst tendering for or fulfilling a contract;” Three new/modified items have been added and read as follows: Item e) “details of the customer’s requirements, derived from an initial site inspection (6.3) or from the custo mer’s written instruction, and including clear cross-reference to any separately documented requirements or instructions; NSI Technical Bulletin No. 0010 Guidance on the implementation of BS 7984:2008 Keyholding and response services – Code of Practice 13 of 27 Item k) the obligation of the customer to provide and/or maintain any specified item or service, which the customer has agreed to provide and which is necessary for fulfilling the assignment; Item l) the obligation of the customer to satisfy themselves that if an external key storage facility at the customer premises (see 6.9) is to be used that this method of storage is acceptable to their insurers. See also Section 6.9 of this Technical Bulletin. 6.2 Contracts Three new paragraphs have been added and read as follows: The customer should be asked to sign either: a) a form of acceptance indicating that they have read and understood the quotation, terms and conditions; or (b) a contract document referring to the quotation, terms and conditions. The contract should be agreed and exchanged before work commences, or, in case of great urgency, as soon as practicable. If the quotation, terms and conditions are accepted but include amendments or optional extras, the organization should conform in writing the agreed changes now within 7 days . 6.3 Initial site inspections No significant change, although a note has been added to the first paragraph stating “Attention is drawn to the requirements of the Hea lth and Safety at Work Act, 1974 (4) ” . Organisations are reminded that under health and safety legislation they are still responsible for the health & safety of their officers even though they are working on the client ’ s site. NSI expect to see that there is a documented risk assessment and that there is a method of assessing both the probability of the risk and its significance. The control measures necessary to control the risk should also be clearly stated and the risk assessments should be carried out by competent personnel. 6.4 Keyholding and response to events 6.4.1 General An additional sentence has been added as follows: “The organisation shall respond in accorda nce with the contract they have with the customer”. This is a useful note and its main impact will be on response times e.g. if the contract references a twenty minute response time then every effort must be made to respond within this time. However the majority of contracts may well NSI Technical Bulletin No. 0010 Guidance on the implementation of BS 7984:2008 Keyholding and response services – Code of Practice 14 of 27 lean on the fact that they are shared services and that the organisation will use their best endeavours to respond in a timely manner. 6.4.2 Keyholding response officers The first paragraph has been re-worded and reads now “Keyholding response officers should be in possession of up-to-date assignment instructions when responding to an event.” The following sentence has been added to the second paragraph “Where electronic check calls are made they should be made by a secure method that identifies the individual”. The 3 rd paragraph now has a clarification that “ a record should be made by either the keyholding response officer or the response centre ” . 6.4.3 Follow-up No changes. 6.5 Key Management 6.5.1 General No changes. 6.5.2 Initial receipt of keys No changes. 6.5.3 Control of keys (previously 6.5) The first paragraph has been slightly reworded. The first sentence of the paragraph now requires that each set of keys should be controlled in a manner that prevents misuse . Also the word “the key record” has been replaced now by the word “the key register”. The rest of the section has been modified but there are few fundamental changes. The modified clauses now read: Where keys are managed by the organization, but are not solely for its use, a register describing the keys and their status and location should be maintained. When not in use, keys should be kept within a response centre or secure facility located within the premised owned or leased by the organization (to which access is restricted to the organization’s employees). If the secure facility is within a vehicle, the vehicle should be protected as described in 6.8.4. NSI Technical Bulletin No. 0010 Guidance on the implementation of BS 7984:2008 Keyholding and response services – Code of Practice 15 of 27 The above clause does not appear to reflect the addition of clause 6.9 on key s torage at customer’s premises. Storage at the customer premises is permitted in accordance with the guidance given under clause 6.9. Each set of keys should be stored ready for inspection at all times. The set of keys should be uniquely numbered and the number recorded in a key register (see 5.2.7). Keys should be coded in a manner that does not indicate directly the name and address of the site which they belong. Address relating to the key codes should be recorded in the key register. When not in use, the key register should be kept within another area within the secured facility. At least weekly, the organization’s management should confirm that the stored keys match the key register and that all movements have been properly recorded. Where keys are held which are not in regular use (i.e. daily or weekly), these should be kept in a manner which would indicate any use, such as a separate key cabinet which is additionally secured with a security seal. NOTE During the weekly check, the management would only need to check the security seal and not each individual key, unless the seal has been broken. At least quarterly, the management should break the seal and confirm that all stored keys match the key register. The organization should confirm and record that this procedure has been carried out. NSI accepts that if it can be verified that each key on the ring or in the keyholding pouch can be fully verified without breaking the seal, then it shall not be necessary to break the seal and apply a new one simply to perform the quarterly check. Situations where this may be practicable include pouches with large transparent windows where the keys can be sufficiently manipulated within the pouch without actually opening it and breaking the seal. Keys should be kept in a secure manner or within a secure vehicle. Keys fixed to a carrying device should remain in the possession of the keyholding response officer during the attendance of an event. If the keys are kept in a vehicle safe (see 6.8.4) the vehicle should be locked when not occupied. When the vehicle is not operational, keys should not be kept within it. In defining whether a vehicle is operational the following guidance needs to be considered: If a vehicle is on stand-by and parked on the Company’s own premises it can generally be consided to be still operational and the keys may be retained within. However if for example the vehicle is parked up during office hours in a general area where any activation of the vehicle alarm system may not be immediately apparent, then the vehicle will be designated as non-operational and the keys shall be removed. At the end of each assignment, keys that have been issued should be returned and inspected to ensure that the keys remain securely affixed. NSI Technical Bulletin No. 0010 Guidance on the implementation of BS 7984:2008 Keyholding and response services – Code of Practice 16 of 27 All key movements in and out of storage should be registered in the key register. 6.5.4 Returning and disposal of keys The only change is to the retention period for records of unclaimed keys, which has been specified as 7 years . 6.6 Assignment instructions No changes. 6.7 Response Centre 6.7.1 General No changes. 6.7.2 Construction No significant change except that the reference to BS 4737-1 has been dropped and PD 6662, grade 3 has been added to the BS EN 50131-1 reference. A note has been added as follows: In the case of a keyholding response centre commissioned prior to 1 January 2006, existing alarm systems can be used. If the response centre has been commissioned prior to the referenced date NSI will accept that the acceptance critieria shall be as per the 2001 edition of BS 7984 which references BS 4737-1 for emergency doors and BS 4737-2 for the alarm system. 6.7.3 Facilities (previously amenities) The term “a deliberately operated remote – signalling alarm system” has been now replaced by the term “a hold -up remote-signalling alarm system conforming to BS EN 50131/PD 6662 ” (previous reference was to BS 4737-2). An additional paragraph has been added as follows to ensure continued operation of the response centre in the event of power or system failure: “ Where computerised and/or electronic systems are in operation, adequate resources should be available to ensure continued operation of the response centre in the e vent of power or system failure”. This does not necessarily mean that each response centre should have for example a back up emergency generator but it will be up to each approved company to demonstrate that the intent of this clause can be satisfied by whatever means which could include use of laptops, switching activitiy to an alternative centre etc. 6.7.4 Procedures No change. NSI Technical Bulletin No. 0010 Guidance on the implementation of BS 7984:2008 Keyholding and response services – Code of Practice 17 of 27 6.7.5 Operations No change. 6.7.6 Records No changes except that the pre-note regarding reviewing minimum periods for retention of records has been omitted. 6.7.7 Personnel and equipment No change. 6.8 Secure facility 6.8.1 General No change. 6.8.2 A 24 hour manned building facility No change. 6.8.3 A non-24 hour manned building facility No significant changes except updating standards from BS 4737 to PD 6662. 6.8.4 A vehicle used for the storage of keys. The item a) the requirement for vehicle safes now reads “one or more vehicle safes to be constructed of hardened steel at least 2 mm thick” . Some existing vehicle safes may have been constructed from nominal imperial thickness plate that could measure out marginally below the minimum metric measurement. Provided there are no other issues in relation to the construction and use of such safes then they will be allowed to continue in use for the life of the vehicle they were designed for. Item d) no longer has a requirement for the vehicle alarm to be in accordance with BS 6803-3 6.9 Key storage at customer facilities (a new paragraph added) A new paragraph has been added that advises companies that utilise external boxes or vaults (also referred to as externally mounted key-safes) at the client’s premises to obtain a written acknowledgement and acceptance from the customer of the potential risks to key security from the use of such boxes or vaults. A note is also included that t he use of a key storage facility at the customer’s premises by means of external boxes or vaults might not be as secure as the methods described in 6.8.1. NSI Technical Bulletin No. 0010 Guidance on the implementation of BS 7984:2008 Keyholding and response services – Code of Practice 18 of 27 As noted earlier in this NSI Technical Bulletin, 6.1.3.1 of BS 7984:2008 requires that the quotation document should state the obligation of the customer to satisfy themselves that if an external key storage facility at the customer premises (see 6.9) is to be used that this method of storage is acceptable to their insurers. The potential risks to key security from using such boxes or vaults are of concern to insurers and also to NSI. Some insurers take the view that use of site keyboxes at alarmed premises (particularly at premises fitted with alarm systems providing alarm ‘confirmation’, unset by use o f a physical device (a fob or key) which will need to be stored alongside the keys) is a potentially serious security weakness. This is because any intruder gaining access to the key box (either opening it at the premises, or removing it and then opening it elsewhere before returning to the premises ) will have in their possession the physical means to unlock the premises and to unset the intruder alarm. This would give unfettered access to the whole premises, with the potential for serious damage or loss. The situation is further complicated in that there is no widely recognised security standard for the manufacture or construction of external key boxes. In certain circumstances, if a key box is used without the express knowledge and consent of the insurer, there might be a risk of an insurance claim being refused. It is important that any key box be of secure and robust construction (and securely attached to the building, or securely anchored to the ground), having regard to the perceived level of risk. There are a number of different types of key boxes commercially available. Generally, they can be divided into two categories: anti-tamper key safes that are wired into the intruder alarm system stand-alone key units without any link to an intruder alarm. CENELEC Technical Specification CLC/TS 50131-7:2003 (application guidelines for intruder and hold-up alarm systems) states (at G.26) that the following issues should be considered in relation to external boxes for retaining keys: supervision against opening and removal concealment of external wiring OR provision of the appropriate level of tamper protection. In view of these factors, NSI has decided that the following requirements apply, in addition to the provisions within BS 7984:2008:- MANDATORY ADDITIONAL NSI REQUIREMENTS: Where a contract (or a proposed contract) includes the supply of an external key storage facility at the customer premises or is based on the use of such a facility, the following apply (as mandatory additional NSI requirements): 6.9.1 The quotation or specification shall include a statement in the terms set out in Section B.1 of Annex B to this NSI Technical Bulletin (or in words to like effect). 6.9.2 The contractual documents shall include a statement signed by the customer, in the terms set out in Section B.2 of ANNEX B to this NSI Technical Bulletin (or in words to like effect). NSI Technical Bulletin No. 0010 Guidance on the implementation of BS 7984:2008 Keyholding and response services – Code of Practice 19 of 27 6.9.3 The NSI approved company’s procedures for the control of keys shall take into account the need to ensure that there are adequate controls in place to minimise the potential for miss-use or un-authorised access. The approved company shall be able to demonstrate a reasoned case that the controls are adequate, having regard to the perceived nature and extent of the risk and the other material circumstances. 6.9.4 The NSI approved company shall retain evidence that it has informed its own insurer that it supplies external key storage facilities at customer premises and/or that it provides response services involving the use of external key storage facilities at customer premises, and evidence that the insurer has accepted the risk. NSI Technical Bulletin No. 0010 Guidance on the implementation of BS 7984:2008 Keyholding and response services – Code of Practice 20 of 27 ANNEX A Guidance on the application of BS ISO 10002 (guidelines for complaints handling) for NSI approved companies BS ISO 10002: 2004 is a 23 page document. It is titled guidelines for complaints handling in organizations. Section 0.2 (Introduction) in BS ISO 10002: 2004 states that the document is not intended for certification or for contractual purposes. Section 1 (Scope) in BS ISO 10002: 2004 states that the document is intended for use by organizations of all sizes and in all sectors. Annex A in BS ISO 10002: 2004 focuses on a simple process designed for easy implementation, which may be particularly suitable for small businesses. NSI commends the guidelines given in BS ISO 10002: 2004. However, NSI accepts that there are some NSI approved companies (including large companies) that may consider that adopting in full the recommendations given in BS ISO 10002 is not justified. By way of general guidance, provided that a company operates a customer-focused complaints- handling process, and the company’s complaints handling record is generally satisfactory, NSI is likely to consider it adequat e if the company’s complaints -handling system is generally in accordance with the principles, processes and practices described in the model or example Complains-handling policy statement given below. Model or example customer-focused complaints-handling policy statement ABC Security Limited Complaint Handling Policy Statement We are actively committed to effective and efficient handling of complaints made to us relating to our products and services, or relating to the complaints-handling process itself, where a response is expressly or implicitly expected. NOTE: This policy statement does not apply to disputes referred for resolution outside our organization or for employment-related disputes. We have regard to the following nine guiding principles for the effective handling of complaints: A.1 Complaints handling policy We have a customer-focused complaints-handling policy. NSI comment: In the case of companies operating to ISO 9001, this policy should be documented, and it should form part of (or be aligned with) the company’s Quality Management System. In the case of companies not operating to ISO 9001, it is desirable that the complaints-handling policy be documented, but NSI inspectors are willing to accept complaints- handling policies not committed to writing if there is evidence that in practice complaints are handled in a customer-focused way and in a way generally in line with the model or example policy given in this annex. A.2 Top management commitment We can demonstrate that our top management are committed to our company’s customer-focused complaints-handling policy. NSI comment: One of the ways of demonstrating top management commitment is by the provision of adequate resources and training. NSI Technical Bulletin No. 0010 Guidance on the implementation of BS 7984:2008 Keyholding and response services – Code of Practice 21 of 27 A.3 Guiding principles of complaints handling Our complaints-handling system has regard to the following nine guiding principles. NSI comment: Where examples are given, they are given to guide companies as to the sort of matters to consider under each of the nine headings. It is not considered by NSI as essential that every company adopts all of the examples. Each company should adapt the text in the nine bullet points, so as to show the items the company has in fact adopted. Accessibility: Examples include the following: The complaints-handling process is accessible to all complainants. Information on how to make complaints is available, and information on how complaints are resolved. The complaint-handling process (and the supporting information) is easy to understand and easy to use. The information is written in clear language. Responsiveness: Examples include the following: Each complaint is acknowledged to the complainant promptly. Complaints are addressed promptly in accordance with their urgency (significant health & safety issues are processed immediately) . Complainants are treated courteously and they are kept informed of the progress of their complaint through the complaints-handling process. Objectivity: Each complaint is addressed in an equitable, objective and unbiased manner through the complaints-handling process. Charges (Fees): Access to the complaints-handling process is free of charge to the complainant. Confidentiality: Personally identifiable information concerning the complainant is available where needed, but only for the purposes of addressing the complaint within the organization, and is actively protected from disclosure unless the customer or complainant expressly consents to its disclosure. Customer- focused approach: The company adopts a customer- focused approach. The company is open to feedback including complaints, and shows commitment to resolving complaints by its actions. Accountability: The company makes sure that lines of accountability and reporting on actions and decisions with respect to complaints are clearly established. Continual improvement: The continual improvement of the complaints- handling process and also of the quality of the company’s services is a permanent objective of the company. NSI Comment: The above nine guiding principles are based on 4.2 to 4.10 of BS ISO 10002: 2004. We have regard to relevant statutory and regulatory requirements NSI Technical Bulletin No. 0010 Guidance on the implementation of BS 7984:2008 Keyholding and response services – Code of Practice 22 of 27 We also take into account the financial, operational and organizational requirements of the business We take into account the input of customers, personnel and other interested parties We have regard to the eight steps (identifying eight key areas, with suggestions for action in each) given in the attached checklist (see Annex C). The checklist is intended to assist companies, in that it identifies eight key areas where a company may wish to focus its attention so as to achieve maximum effectiveness and efficiency from a simple complaints-handling process. This policy statement is adopted by the board of directors of the company and it applies with immediate effect throughout the company. A B Smith AB Smith Managing Director Date………… NSI Technical Bulletin No. 0010 Guidance on the implementation of BS 7984:2008 Keyholding and response services – Code of Practice 23 of 27 ANNEX B MODEL OR EXAMPLE STATEMENTS AND DECLARATIONS FOR USE WHERE A KEY STORAGE FAILITY AT CUSTOMER PREMISES IS SUPPLIED OR USED (OR IS TO BE SUPPLIED OR USED) B.1 Model or example statement (for quotation or specification) It is important that you be aware that the use of a key storage facility at a customer’s premises by means of an external box or vault might not be as secure as the methods described in sub-clause 6.8.1 of the British Standard code of practice for keyholding and response services BS 7984: 2008. The potential risks to key security from using such boxes or vaults are of concern to insurers. In certain circumstances, if a key box or vault is used without the express knowledge and consent of the insurer, there might be a risk of an insurance claim being refused. It is essential therefore that you check with your insurer and that you satisfy yourself that this method of storage is acceptable to your insurer. In premises that have an intruder alarm system, the following statement shall also be included: If there is an intruder alarm system at your premises, you should also consider the following: arranging for your intruder alarm company to provide supervision of the key box or vault against opening and removal concealing the external wiring (if any) providing an appropriate level of tamper protection. B.2 Model or example customer declaration: We confirm that we are aware that the use of a key storage facility at a customer’s premises by means of an external box or vault might not be as secure as the methods described in sub-clause 6.8.1 of the British Standard code of practice for keyholding and response services BS 7984: 2008. We are aware that the potential risks to key security from using such boxes or vaults are of concern to insurers. We are aware that, in certain circumstances, if a key box or vault is used without the express knowledge and consent of the insurer, there might be a risk of an insurance claim being refused. We acknowledge and accept the potential risks to key security from the use of such boxes or vaults. We confirm we have checked with our insurer and that that we have satisfied ourselves that this method of storage is acceptable to our insurer. [Or (where a customer is un-insured or self-insures) the following text may be used in place of the immediately preceding sentence: We confirm that we are un-insured or that we self-insure and that we fully accept the potential risks associated with this method of storage]. In premises that have an intruder alarm system, the following customer declaration should also be included: We confirm that we have considered the following, and that we have discussed these matters with our intruder alarm provider: NSI Technical Bulletin No. 0010 Guidance on the implementation of BS 7984:2008 Keyholding and response services – Code of Practice 24 of 27 arranging for your intruder alarm company to provide supervision of the key box or vault against opening and removal concealing the external wiring (if any) providing an appropriate level of tamper protection. Signed…………………….. Date…………………………. Name of signatory (in block capitals)…………………………… Position held………………………………………………………. For and on behalf of (name of customer company or o rganization)……………………………………………………… ********************** NSI Technical Bulletin No. 0010 Guidance on the implementation of BS 7984:2008 Keyholding and response services – Code of Practice 25 of 27 Annex C NSI Checklist to verify the adequacy of a complaints handling process based upon the eight steps or key areas referenced within Annex A of BS ISO 10002:2004 Key areas identified within Annex A of ISO 1002 Requirements/lead questions Possible evidence Req. satisfied Y/N (if no ref IN/IO or AN) Comments 1. Be open to complaints 1a. Is it clear that the organization is willing to receive and proces s relevant complaints? 1b. Are customers and personnel generally aware of this? 1c Are customers aware of whom they can/should contact if they wish to raise a formal complaint? Specific documented complaint handling policy statement or suitable words wit hin an existing Quality or similar Policy. Alternatively standard clause in tenders, quotations, contracts, sales brochures, web – sites or on invoices etc. Incoming telephone calls from any interested party wishing to lodge a complaint – receptionist and o ther relevant staff etc know who to pass the call to or can explain the process and provide the complainant with details of the complaints process. Client facing staff (contract/customer service managers etc) demonstrate awareness of the process for handl ing complaints. 2. Collect and record complaints 2a. Are all relevant complaints captured and recorded? 2b. Is there a clear understanding as to what constitutes a complaint? Central register of complaints (hard copy or system based) and/or standard p roforma that ensures that all relevant information is captured. Clear understanding of difference between a query/enquiry and an actual complaint and awareness of whether this includes verbal comments/feedback from customer questionnaires or service evalua tion reports etc. 3. Acknowledge receipt of the complaint 3a. Is receipt of the complaint acknowledged? Letter, email or recorded telephone call. NSI Technical Bulletin No. 0010 Guidance on the implementation of BS 7984:2008 Keyholding and response services – Code of Practice 26 of 27 4. Assess the complaint for validity and impact 4a.Is the complaint assessed on receipt to verify its potential consequences/impact and the need for immediate and/or urgent action? 4b. Is the complaint drawn to the immediate attention of senior management if it relates to potential breaches of legislation, significant Health & Safety issues or security lapses that could place the contract immediately at risk. Recording of who is tasked to handle the complaint and who has also been copied in to make them aware of it. Sufficient awareness on the part of the person logging and assigning the complaint that they u nderstand its potential impact/consequences. 5. Resolve as soon as practicable 5a. Is it clear that complaints are subject to timely and appropriate investigation? 5b. Is appropriate corrective and preventive action then taken? Recording sufficient deta il in the register or on a complaint form and/or other relevant documentation to show the adequacy of the investigation and the action taken to resolve it and minimise the likelihood of a reoccurrence. 6. Give information to the complainant (customer or other relevant stakeholder or interested party) 6a. Is the decision or any action taken regarding the complaint (which is relevant to disclose to the complainant or the personnel involved) communicated as soon as possible after the decision or action is taken? 6b. Is the complainants reaction to any communicated decision or action noted and where relevant addressed? Evidence that the complainant’s reaction to the disclosed information or decision is evaluated to determine whether there is any need to take additional action or review the action already taken. 7. When all possible has been done to resolve the complaint, record the outcome and close it out 7a. Does the complaints register and/or form verify whether the complaint has been closed out and record whether or not the complainant accepted the decision or action taken? Clear recording of the status of all complaints so that it is easy to establish those that are closed – out as opposed to those that are still open. With open complaints clear recording of whether the investigation is not yet complete or NSI Technical Bulletin No. 0010 Guidance on the implementation of BS 7984:2008 Keyholding and response services – Code of Practice 27 of 27 7b. Where the complainant rejects the communicated decision or action taken is the complaint left open and where relevant is the complainant informed of any alternative forms of recourse available. wheth er they are left open to ensure there is an adequate period of further on – going monitoring. Where the complainant expresses his total dissatisfaction with the complaint investigation and actions taken and makes it clear he wish to take the matter to a high er level, evidence that the organization discloses who their certification body or approval authority is. 8. Review complaints regularly 8a. Are complaints subject to a brief periodical review and a more intensive annual review to establish whether there any trends or obvious aspects that could be put right to stop complaints occurring, improve customer service, or make customers more satisfied? Management review and internal audit records. Report produced by the complaints co – ordinator to highlight any overall issues, trends etc and issued to and/or discussed with the Senior Management Team.